Debian Security Advisory
DLA-2062-1 sa-exim -- LTS security update
- Date Reported:
- 09 Jan 2020
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 946829.
In Mitre's CVE dictionary: CVE-2019-19920.
- More information:
It was found that sa-exim, the SpamAssassin filter for Exim, allows attackers to execute arbitrary code if users are allowed to run custom rules. A similar issue was fixed in spamassassin, CVE-2018-11805, which caused a functional regression in sa-exim. This update restores the compatibility between spamassassin and sa-exim. The security implications of sa-exim's greylisting function are also documented in /usr/share/doc/sa-exim/README.greylisting.gz.
For Debian 8
Jessie, this problem has been fixed in version 4.2.1-14+deb8u1.
We recommend that you upgrade your sa-exim packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS